Add ssl_set_arc4_support()
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 505ce10..35771f5 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -88,6 +88,7 @@
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
+#define DFL_ARC4 SSL_ARC4_DISABLED
#define DFL_AUTH_MODE SSL_VERIFY_REQUIRED
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC 0
@@ -125,6 +126,7 @@
int exchanges; /* number of data exchanges */
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
+ int arc4; /* flag for arc4 suites support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* negotiate truncated hmac or not */
@@ -316,6 +318,7 @@
"\n" \
" min_version=%%s default: \"\" (ssl3)\n" \
" max_version=%%s default: \"\" (tls1_2)\n" \
+ " arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \
" auth_mode=%%s default: \"required\"\n" \
@@ -406,6 +409,7 @@
opt.exchanges = DFL_EXCHANGES;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
+ opt.arc4 = DFL_ARC4;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
@@ -545,6 +549,15 @@
else
goto usage;
}
+ else if( strcmp( p, "arc4" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.arc4 = SSL_ARC4_DISABLED; break;
+ case 1: opt.arc4 = SSL_ARC4_ENABLED; break;
+ default: goto usage;
+ }
+ }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -907,8 +920,11 @@
}
#endif
+ /* RC4 setting is redundant if we use only one ciphersuite */
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
+ else
+ ssl_set_arc4_support( &ssl, opt.arc4 );
ssl_set_renegotiation( &ssl, opt.renegotiation );
ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3fecb47..9310ed5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -107,6 +107,7 @@
#define DFL_EXCHANGES 1
#define DFL_MIN_VERSION SSL_MINOR_VERSION_1
#define DFL_MAX_VERSION -1
+#define DFL_ARC4 SSL_ARC4_DISABLED
#define DFL_AUTH_MODE SSL_VERIFY_OPTIONAL
#define DFL_MFL_CODE SSL_MAX_FRAG_LEN_NONE
#define DFL_TICKETS SSL_SESSION_TICKETS_ENABLED
@@ -167,6 +168,7 @@
int exchanges; /* number of data exchanges */
int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */
+ int arc4; /* flag for arc4 suites support */
int auth_mode; /* verify mode for connection */
unsigned char mfl_code; /* code for maximum fragment length */
int tickets; /* enable / disable session tickets */
@@ -327,6 +329,7 @@
"\n" \
" min_version=%%s default: \"ssl3\"\n" \
" max_version=%%s default: \"tls1_2\"\n" \
+ " arc4=%%d default: 0 (disabled)\n" \
" force_version=%%s default: \"\" (none)\n" \
" options: ssl3, tls1, tls1_1, tls1_2\n" \
"\n" \
@@ -704,6 +707,7 @@
opt.exchanges = DFL_EXCHANGES;
opt.min_version = DFL_MIN_VERSION;
opt.max_version = DFL_MAX_VERSION;
+ opt.arc4 = DFL_ARC4;
opt.auth_mode = DFL_AUTH_MODE;
opt.mfl_code = DFL_MFL_CODE;
opt.tickets = DFL_TICKETS;
@@ -827,6 +831,15 @@
else
goto usage;
}
+ else if( strcmp( p, "arc4" ) == 0 )
+ {
+ switch( atoi( q ) )
+ {
+ case 0: opt.arc4 = SSL_ARC4_DISABLED; break;
+ case 1: opt.arc4 = SSL_ARC4_ENABLED; break;
+ default: goto usage;
+ }
+ }
else if( strcmp( p, "force_version" ) == 0 )
{
if( strcmp( q, "ssl3" ) == 0 )
@@ -1293,6 +1306,8 @@
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
+ else
+ ssl_set_arc4_support( &ssl, opt.arc4 );
if( opt.version_suites != NULL )
{